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London SW1A 2BQ 


Dear Paul, 
Netting-Off Agreement 


| am writing in follow-up to the letter of 3rd May 2022, confirming that HM Treasury had 
approved a netting-off agreement for the ICO. This letter is being issued to clarify the scope 
and processes of the agreement. 


The netting-off agreement is to cover legal costs (internal and external) for all enforcement 
action and litigation under the Data Protection Act 2018 (DPA) and Privacy and Electronic 
Communications Regulations 2003 (PECR). This is subject to a cap of £7.5m per financial 
year. 


Scope 


The netting-off agreement covers selected data protection legal costs, including those 
related to Privacy and Electronic Communications Regulations (PECR), as defined and 
agreed with HM Treasury. The costs in scope are enforcement, litigation and prosecution 
costs including: 


e External experts, for example technical reports, forensic analysis — audited through 
itemised invoices. 

External counsel - audited through itemised invoices. 

External paralegals - audited through itemised invoices. 

External solicitors - audited through itemised invoices. 

Internal legal staff costs directly attributable to enforcement, litigation and 
prosecutions (to include the cost of secondees and temporary staff) — audited 
through management account reports. 

Court fees — audited through invoice. 

Costs of court proceedings — audited through invoice. 

Settlement of adverse costs — audited through invoice. 

Specific training for staff and know-how resources — audited through invoice. 


The agreement will cover all Data Protection and PECR legal costs, including those 
associated with taking enforcement action, as well as covering all litigation costs. In scope 
costs will also cover litigation costs associated with civil claims and judicial reviews. This will 
include cases which do not end in litigation (for example, if an appellant withdraws their case 
but costs have already been incurred or if no litigation results from an enforcement action). 


The agreement came into force for the 2022/23 financial year. 


Monitoring 


As requested by HM Treasury, fine income will be monitored by DSIT Finance Business 
Partners, to ensure that there is not a disproportionate increase in enforcement for the 
purpose of revenue raising. 


We expect the ICO to follow the monitoring and reporting process agreed between DSIT 
Finance and the ICO in 2022, which includes quarterly reporting on actuals and forecast 
activity. Supporting data may also be requested. 


Review 


This agreement is subject to review, at which point HM Treasury can decide to suspend, 
amend, or revoke the agreement. Initially the agreement will be reviewed annually. From 
2024-25, it is anticipated that the agreement will be reviewed on a multi-year basis as part of 
the Spending Review process. 


No later than one month after the end of each financial year, you will be expected to provide 
a short, qualitative overview of the enforcement actions that the ICO has decided to take 
versus those it has not. 


This summary should provide details of how the ICO has carried out upstream activity and 
support to organisations to aid compliance with the law and prevent enforcement action 
being required. 


You will also be required to provide information against the following metrics: 


% of appeals upheld. 

% of investigations taken to enforcement action and/or fined. 
Number of fines issued. 

Fines collected. 

Fines written off in-year. 

Overall cost of enforcement activity year on year. 


This information should be provided to DSIT and HMT on an annual basis no later than one 
month after the end of each financial year. Ahead of a review, DSIT will provide further detail 
of what any returns need to cover if it differs from what is set out above. DSIT Finance 
should be the first point of contact for all aspects of the monitoring and review of the 
agreement. 


Thank you for your cooperation in providing information over the last few months whilst we 
have confirmed the details of the agreement with HM Treasury. 


Yours sincerely, 


Owen Rowland Meirion Nelson 


Deputy Director, Data Protection Policy Deputy Director, Finance Business Partnering 


